提交 7d4372b5 编写于 作者: P Patrick McHardy 提交者: David S. Miller

[PPPOL2TP]: Fix use-after-free

Don't use skb->len after passing it to ip_queue_xmit.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
上级 99acaeb9
...@@ -824,6 +824,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh ...@@ -824,6 +824,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
struct pppol2tp_session *session; struct pppol2tp_session *session;
struct pppol2tp_tunnel *tunnel; struct pppol2tp_tunnel *tunnel;
struct udphdr *uh; struct udphdr *uh;
unsigned int len;
error = -ENOTCONN; error = -ENOTCONN;
if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
...@@ -912,14 +913,15 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh ...@@ -912,14 +913,15 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
} }
/* Queue the packet to IP for output */ /* Queue the packet to IP for output */
len = skb->len;
error = ip_queue_xmit(skb, 1); error = ip_queue_xmit(skb, 1);
/* Update stats */ /* Update stats */
if (error >= 0) { if (error >= 0) {
tunnel->stats.tx_packets++; tunnel->stats.tx_packets++;
tunnel->stats.tx_bytes += skb->len; tunnel->stats.tx_bytes += len;
session->stats.tx_packets++; session->stats.tx_packets++;
session->stats.tx_bytes += skb->len; session->stats.tx_bytes += len;
} else { } else {
tunnel->stats.tx_errors++; tunnel->stats.tx_errors++;
session->stats.tx_errors++; session->stats.tx_errors++;
...@@ -958,6 +960,7 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) ...@@ -958,6 +960,7 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
__wsum csum = 0; __wsum csum = 0;
struct sk_buff *skb2 = NULL; struct sk_buff *skb2 = NULL;
struct udphdr *uh; struct udphdr *uh;
unsigned int len;
if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
goto abort; goto abort;
...@@ -1050,14 +1053,15 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) ...@@ -1050,14 +1053,15 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
skb2->dst = sk_dst_get(sk_tun); skb2->dst = sk_dst_get(sk_tun);
/* Queue the packet to IP for output */ /* Queue the packet to IP for output */
len = skb2->len;
rc = ip_queue_xmit(skb2, 1); rc = ip_queue_xmit(skb2, 1);
/* Update stats */ /* Update stats */
if (rc >= 0) { if (rc >= 0) {
tunnel->stats.tx_packets++; tunnel->stats.tx_packets++;
tunnel->stats.tx_bytes += skb2->len; tunnel->stats.tx_bytes += len;
session->stats.tx_packets++; session->stats.tx_packets++;
session->stats.tx_bytes += skb2->len; session->stats.tx_bytes += len;
} else { } else {
tunnel->stats.tx_errors++; tunnel->stats.tx_errors++;
session->stats.tx_errors++; session->stats.tx_errors++;
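Review bot: The `len = skb->len;` snapshot before `ip_queue_xmit(skb, 1)` in pppol2tp_sendmsg has no comment explaining why the length is copied, so a later cleanup could fold it back into `skb->len` and reintroduce the use-after-free. I would add above it `/* ip_queue_xmit() takes ownership of the skb; read len now and do not touch skb afterwards */`, and the same above `len = skb2->len;` in pppol2tp_xmit. Both function bodies continue outside the visible hunks, so any reference to skb or skb2 after the xmit call in the lines not shown would need the same check.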